With the widespread use of the Internet, attempts to defraud people have also increased. Thus, it is vital to develop strong authentication techniques. Two prevalent fraud attempts are phishing and man-in-the-middle (MITM) attacks. Phishing involves the non-real-time collection of usernames, passwords, and other sensitive data. These data could later be used by the attacker to defraud users. MITM can be described as phishing plus real-time proxying. Others have attempted to combat phishing and MITM attacks, as discussed in the following examples. Note that in each example the user is ultimately required to exercise judgment. Hence, the user allows himself or herself to fall victim to the attack.
Hardware cryptography, for instance, is an inadequate solution because users are required to make judgments about whether their browsers are connected to a server over SSL, whether a certificate has the proper name on it, and whether the trusted root certificates are indeed trustworthy. Some operators of secure servers repeatedly warn their users not to disclose passwords and caution that their staffs will not ask users to reveal passwords.
Another popular attempt requires users to choose pictures, and a user's selection is stored in the user's profile. When the user accesses the related secure server, the user is requested to look for his or her picture and end the session if he or she does not see it. But many users continue without seeing their picture. Moreover, real-time proxying can be used to circumvent this type of security because, again, the user is required to make a judgment.
Temporary password solutions, wherein an application or the like provides a user with passwords in synchrony with the server, also may be defeated via MITM attacks. This is also the case because the user has to judge whether a web site is the legitimate one or a fake one.
Other attempted solutions include plugins or other browser enhancements that alert users to known fraudulent sites. Such solutions do not aid roaming users and are powerless against “new” fraudsters. Hence, improvements are needed.